Multiparty Contracts: Agreeing and Implementing Interorganizational Processes

Wil M.P. van der Aalst (1), Peter Massuthe (2), Christian Stahl (2, ⋆), and Karsten Wolf (3)

(1) Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, P.O. Box 513, 5600 MB Eindhoven, The Netherlands, [email protected]
(2) Humboldt-Universität zu Berlin, Institut für Informatik, Unter den Linden 6, 10099 Berlin, Germany, {massuthe, stahl}@informatik.hu-berlin.de
(3) Universität Rostock, Institut für Informatik, 18051 Rostock, Germany, [email protected]
Abstract. A contract specifies an interorganizational process together with a distribution of responsibilities for the activities among the parties involved. In this paper, we formally show how a party can implement its part of the contract such that the implementation accords with the contract. We propose a formal notion of a contract and give a criterion for accordance between a local implementation and a contract such that, if all local implementations accord with the contract, the overall process is deadlock-free and it is always possible to terminate properly. Then, we sketch a technique for automatically checking the proposed accordance criterion. Finally, we present accordance-preserving transformation rules. These rules can be used to implement a part of the contract while preserving the accordance criterion.
1 Introduction
Today’s corporations often must operate across organizational boundaries. Phenomena such as e-commerce, extended enterprises, and service-oriented computing stimulate cooperation between organizations [1–8]. Therefore, the importance of workflows distributed over a number of organizations is increasing [9–12]. Interorganizational workflow support offers companies the opportunity to re-shape business processes beyond the boundaries of their own organizations. However, interorganizational workflows are typically subject to conflicting constraints. On the one hand, there is a strong need for coordination to optimize the flow of work in and between the different organizations. On the other hand, the organizations involved are essentially autonomous and have the freedom to create or modify workflows at any point in time. To address this issue, the notion of a contract in the form of an agreed upon process model was introduced in [9, 10], for instance. To illustrate the idea of having a contract, we use the example shown in Fig. 1(a). The example shows a contract expressed in terms of a Petri net [13]. The Petri net is partitioned over three parties: customer, supplier, and shipper. Each party has a part of the contract which can be seen as a service. Different services are connected through interface places that model asynchronous message passing. Interface places model message buffers and are depicted on dashed lines in Fig. 1(a). As a formalism, we use open workflow nets (oWFNs) [14] which extend the well known concept of workflow nets (WFNs) [15] with interface places. However, the concepts are not limited to oWFNs and can be translated into other languages using message passing as a communication paradigm.

⋆ Funded by the DFG project “Substitutability of Services” (RE 834/16-1).
[Fig. 1 (figure not reproduced): (a) oWFN modeling the contract between customer (N cust), supplier (N supp), and shipper (N ship); the three parts are separated by dashed lines on which the interface places order, delivery address, notification, normal shipment request, priority shipment request, confirmation shipment, invoice, payment, and shipment are drawn. (b) oWFN of the modified customer (N′cust).]
Fig. 1. The running example.
In our example, the customer creates an order (transition a). As a result, the supplier sends a notification to the shipper (transition g). After sending the order, the customer sends the delivery address. Then, the supplier makes a choice by selecting the desired form of shipment. This is signaled to the shipper by sending either a normal shipment request or a priority shipment request. In case of a priority shipment, the shipper sends a confirmation shipment to the supplier and only then the supplier sends an invoice to the customer. For normal orders, there is no confirmation and the invoice can be sent immediately. Then, the customer pays (payment) and receives the shipment.

Assuming a contract as shown in Fig. 1(a), each party will implement its part (its public view) of the contract. Clearly, the implemented version, the private view, may deviate significantly from the public view. For example, the task represented by transition a may be implemented by a subprocess containing dozens of detailed activities that are only of local interest. Obviously, this local modification has to accord with the contract. In [10], however, it was shown that this local modification is a nontrivial task as it may cause global errors such as deadlocks. For example, changing the order of transitions d and e in Fig. 1(a) leads to a deadlock in the process. To guide the user during the modification process, earlier work [16, 17] proposed to use projection inheritance for WFNs to relate the actual realization of a contract to the contract itself [9, 10]. Projection inheritance (see [16, 17]) uses abstraction and branching bisimulation as a mechanism to establish subclass-superclass relationships between processes. In contrast to many other notions of inheritance, it primarily addresses the dynamic behavior rather than data types or method signatures. It was proven that if private and public view are related by projection inheritance, then the party can execute this private view and the other parties are not affected by this change. Based on this notion, several inheritance-preserving transformation rules have been defined. These rules correspond to design patterns when extending a superclass to incorporate new behavior: (1) adding loops, (2) inserting methods in-between existing methods, and (3) putting new methods in parallel with existing methods. They can be used by a party to implement its part of the contract while preserving projection inheritance.

However, it turns out that in practice the notion of projection inheritance is too restrictive. This is mainly caused by the fact that projection inheritance looks at “methods” rather than the exchange of messages. For example, when messages are sent, their order does not really matter. This is caused by the fact that we consider asynchronous message passing; that is, messages may be consumed in a different order than they were produced. Nevertheless, projection inheritance will differentiate between the different orderings of sending messages. As an example, N′cust in Fig. 1(b) is a valid implementation of the net N cust in Fig. 1(a). In N cust, the customer first sends the order and then the address information. In N′cust, these two messages are sent concurrently. However, this change does not raise any problems for the other parties. Consequently, any environment that can cooperate with the public view can also cooperate with this private view. However, N cust and N′cust are not related by projection inheritance.

The contribution of this paper is threefold. Firstly, we present a more generic notion of a contract using oWFNs. In contrast to WFNs, oWFNs explicitly model the interface and have fewer syntactical restrictions. Secondly, we define a notion of accordance between an implementation of a contract and the contract itself. An oWFN N′ accords with an oWFN N if it has the same set of interface places and any environment that can cooperate with N can also cooperate with N′. Moreover, we show how accordance can be computed for acyclic finite state oWFNs. Thirdly, we prove that projection inheritance implies accordance. As a consequence, the inheritance-preserving transformation rules presented in [9, 10, 16, 17] imply accordance. However, we also provide additional (more powerful) transformation rules that guarantee accordance but do not preserve projection inheritance.

The remainder of this paper is structured as follows. Section 2 defines oWFNs and contracts. The notion of accordance is defined in Sect. 3 where it is applied to relate the private and public views of a contract. Section 4 presents an algorithm to decide accordance using operating guidelines. Section 5 discusses the relation between projection inheritance and accordance and accordance-preserving transformation rules. Related work is presented in Sect. 6. Finally, Sect. 7 draws the conclusion.
2 Formalizing Contracts
An interorganizational process couples interacting processes handled by different parties. To design the overall process, the involved parties specify a public view of this process together with a distribution of responsibilities for the activities among them (i.e., a partitioning). The public view and its partitioning serve as a contract. Each party will modify its part of the process; that is, it will implement a private view of its part. Obviously, this local modification has to conform to the contract, meaning that the behavior of this part has to be preserved. In [10], it was shown that this local modification is a nontrivial task, as local changes may cause global faults such as deadlocks. Therefore, a formal framework, which guides the user during the modification process, is needed.

For specifying the overall interorganizational process and the processes it consists of, we use the concept of open workflow nets (oWFNs) [14]. We consider the overall process as self-contained. This fact is reflected by its representation as an oWFN with empty interface. An immediate alternative to our approach would be to represent a process within the much more established framework of workflow nets. This framework would, however, cause more involved technicalities for the approach presented below. Thus, we use oWFNs in the technical parts of the paper and discuss the implications for workflow nets (e.g., [18]) in a more pragmatic fashion later on. We start with the definition of classical (place/transition) Petri nets (see [13], for instance) and then define oWFNs.

Definition 1 (Petri net). A Petri net N = (P, T, F, m0) consists of
– two finite and disjoint sets P and T of places and transitions,
– a flow relation F ⊆ (P × T) ∪ (T × P), for which we introduce the following notation to denote the preset and postset of places and transitions: •x = {y | (y, x) ∈ F} and x• = {y | (x, y) ∈ F}, and
– an initial marking m0, where a marking is a mapping m : P → ℕ.
As usual, places are depicted as circles, transitions as boxes, the flow relation as arrows, and markings as distributions of (black) tokens on the places. The behavior of Petri nets is defined next. A transition is enabled if each place of its preset holds at least a token. An enabled transition t can fire in a marking m by consuming tokens from the preset places and producing tokens for the postset places, yielding a marking m′.

Definition 2 (Behavior of Petri nets). Let N = (P, T, F, m0) be a Petri net. Transition t ∈ T is enabled in marking m if, for all p ∈ •t, m(p) > 0. If t is enabled, it can fire leading to marking m′, where m′(p) = m(p) − 1 for p ∈ •t \ t•, m′(p) = m(p) + 1 for p ∈ t• \ •t, and m′(p) = m(p), otherwise. The described firing relation is denoted m −t→ m′. A marking m′ is reachable from a marking m if there is a sequence t1, …, tn of transitions and a sequence m = m1, …, mn+1 = m′ of markings such that, for all i ∈ {1, …, n}, mi −ti→ mi+1. With RG_N(m) we denote the set of markings that can be reached from m by firing any number of transitions.

Now we define oWFNs, a special class of Petri nets.

Definition 3 (Open workflow net). An open workflow net is a Petri net N = (P, T, F, m0) together with
– an interface defined as a set I ⊆ P of input places such that •p = ∅ for any p ∈ I and a set O ⊆ P of output places such that p• = ∅ for any p ∈ O and I ∩ O = ∅,
– a set Ω of final markings such that no transition of N is enabled in any m ∈ Ω.
We further require that m ∈ Ω ∪ {m0} implies m(p) = 0 for all p ∈ I ∪ O; that is, in the initial and the final markings the interface places are not marked.

We use indices to distinguish the constituents of different oWFNs (e.g., Ij refers to the set of input places of oWFN Nj). As an example, the whole process shown in Fig. 1(a) represents an oWFN with I = O = ∅. N cust in Fig. 1(a) is an oWFN with interface I = {invoice, shipment} and O = {order, delivery address, payment}. In the definition of oWFNs, interfaces do not play a distinguishing role. This is possible because, when composing oWFNs, the interface places of one oWFN are connected to the interface places of other oWFNs. As a result, the interface places can be internalized and no special provision is needed for them. In other words, the semantics of an open system is only defined when the open system is closed by adding an appropriate environment. The role of the interface itself is clarified through the concept of composition further down in this section. In order to assign a reasonable meaning to final markings, we restrict our approach to such oWFNs where a marking in Ω does not enable any transition. For the oWFN depicted in Fig. 1(a) we have m0 = [p1, p7, p15] and we define Ω = {[p6, p20]}. It is easy to check that, for any marking reachable from the initial marking shown in Fig. 1(a), the final marking is reachable. This means
that it is always possible to terminate properly. This property is formalized in the following definition.

Definition 4 (Weak termination). Let N be an oWFN with empty interface (I = O = ∅). N weakly terminates if, from every marking reachable from the initial marking, a final marking can be reached.

For the composition of oWFNs, we assume that all constituents (except the interfaces) are pairwise disjoint. This requirement can be easily achieved by renaming. In contrast, the interfaces intentionally overlap. For a reasonable concept of composition of oWFNs it is, however, convenient to require that all communication is bilateral; that is, every interface place p ∈ I ∪ O has only one party that sends into p and one party that receives from p. For a third party C, a communication taking place inside the composition of parties A and B is an internal matter. These considerations lead to the following definitions of composable and composition.

Definition 5 (Composable set of oWFNs). Let N1, …, Nk be oWFNs with pairwise disjoint constituents, except for the interfaces. N1, …, Nk are composable if, for all i ∈ {1, …, k},
– p ∈ Ii implies that there is no j ≠ i such that p ∈ Ij and there is at most one j such that p ∈ Oj, and
– p ∈ Oi implies that there is no j ≠ i such that p ∈ Oj and there is at most one j such that p ∈ Ij.

Definition 6 (Composition of oWFNs). Let N1, …, Nk be a composable set of oWFNs. The composition N = N1 ⊕ · · · ⊕ Nk is the oWFN with the following constituents:
– P = P1 ∪ · · · ∪ Pk,
– T = T1 ∪ · · · ∪ Tk,
– F = F1 ∪ · · · ∪ Fk,
– I = (I1 ∪ · · · ∪ Ik) \ (O1 ∪ · · · ∪ Ok),
– O = (O1 ∪ · · · ∪ Ok) \ (I1 ∪ · · · ∪ Ik),
– m0 = m01 ⊕ · · · ⊕ m0k, and
– Ω = {m1 ⊕ · · · ⊕ mk | m1 ∈ Ω1, …, mk ∈ Ωk}.

For markings m1 of N1, …, mk of Nk which do not mark the interface places, their composition m = m1 ⊕ · · · ⊕ mk is defined by m(p) = mi(p) if p ∈ Pi. Fig. 1(a) can be interpreted as a single oWFN with an empty interface or as three oWFNs: N cust, N supp, and N ship. Places on the dashed lines are the interface places of each of the three oWFNs. We assume the final markings of the oWFNs to be [p6], [ ] (i.e., the empty marking), and [p20], respectively. Clearly, the three oWFNs are composable: N = N cust ⊕ N supp ⊕ N ship is the overall contract shown in Fig. 1(a). Note that any subset of a set of composable oWFNs is composable as well. Furthermore, we have N1 ⊕ N2 ⊕ N3 = (N1 ⊕ N2) ⊕ N3 = N1 ⊕ (N2 ⊕ N3), and
N1 ⊕ N2 = N2 ⊕ N1. In other words, the composition of oWFNs is associative and commutative. Thus, composition of a set of oWFNs can be broken into single steps without affecting the final result.

Basically, we see a contract as an oWFN where every activity is assigned to one of the involved parties. We impose only one restriction: If a place is accessed by more than one party, it should act as a directed bilateral communication place; that is, one party produces tokens, another party consumes tokens, and there is no third party accessing the place. In the following, |X| denotes the cardinality of a set X.

Definition 7 (Contract). Let A be a set representing the parties involved in a contract. Then, a contract [N, r] consists of an oWFN N = (P, T, F, I, O, m0, Ω) with an empty interface (I = O = ∅) (the agreed public view of the process) and a mapping r ∈ T → A (the partitioning) such that, for all places p ∈ P, |{r(t) | t ∈ •p}| ≤ 1 and |{r(t) | t ∈ p•}| ≤ 1. For technical purposes, we further require that N has only one final marking, Ω = {mf}.

The oWFN shown in Fig. 1(a) is an example of a contract involving A = {customer, supplier, shipper}. The dashed lines in the figure show the partitioning of transitions over the parties involved in the contract; r(a) = customer, r(f) = supplier and r(l) = shipper, for instance. A contract can be cut into parts, each representing the agreed share of a single party. Every part is an oWFN, this time typically with a nonempty interface. In accordance with the terminology of service-oriented computing [8], we consider the contribution of a party to an interorganizational business process as a service. Correspondingly, the agreed version (specification) of the service is called public view while an actual local implementation is called private view of the service.

Definition 8 (Public view). Let [N, r] be a contract with N = (P, T, F, I, O, m0, Ω), Ω = {mf}, and r ∈ T → A, and let A ∈ A be a party. The public view of A’s share in the contract is the oWFN NA where
– PA = {p ∈ P | ∃t ∈ •p ∪ p• : r(t) = A},
– TA = {t ∈ T | r(t) = A},
– FA = F ∩ ((PA × TA) ∪ (TA × PA)),
– IA = {p ∈ PA | ∃t ∈ •p : r(t) ≠ A},
– OA = {p ∈ PA | ∃t ∈ p• : r(t) ≠ A},
– m0A = m0|PA (i.e., the restriction of m0 to the places in PA), and
– ΩA = {mf|PA}.
The contract shown in Fig. 1(a) involves three parties. Hence, there are three public views on the contract: N cust, N supp, and N ship. N′cust shown in Fig. 1(b) is an example of a private view of N cust in Fig. 1(a). The private views N′supp and N′ship are not provided here. For a set A = {A1, …, Ak} of parties and a contract [N, r], it is easy to see that NA1 ⊕ · · · ⊕ NAk = N. In this respect, the restriction that Ω contains only one element is indeed crucial, as otherwise NA1 ⊕ · · · ⊕ NAk could have final markings which result from recombining final markings of different parties but which are not final markings of N.

It should be noted that the definition of a contract is much more generic than the definition given in [9, 10]. In [9, 10], both the public and private view need to be workflow nets [15]; that is, Petri nets with a unique source and sink place, and with every node on a path from source to sink. In this paper, we do not impose such syntactical restrictions. Nevertheless, it may be wise to “massage” the contract such that each of the resulting public views is in fact connected. This can easily be done by adding implicit places as shown in [9, 10]. The implicit places do not change the behavior of the contract. However, when partitioning the contract into public views, the resulting oWFNs more clearly show the responsibilities of each partner.
3 Accordance Between Public and Private View
In this section, we define the notion of accordance. This criterion is used to compare the public view (agreed specification of the service) and the private view (actual implementation of the service) on a party’s share of a contract. The goal of the accordance notion is to preserve weak termination (see Def. 4) of the overall process N. Formally, weak termination of N and accordance of each private view N′A with the corresponding public view NA should imply weak termination of N′A1 ⊕ · · · ⊕ N′Ak which models the overall process as actually implemented. Consider for example the weakly terminating contract shown in Fig. 1(a) which is split into three public views: N cust, N supp, and N ship. If each of these public views is replaced by a private view such that the private view accords with the public view, then the composition of these private views N′cust ⊕ N′supp ⊕ N′ship should yield a weakly terminating oWFN. To define a suitable notion of accordance, we introduce the concept of strategies.

Definition 9 (Strategy). An oWFN N is a strategy for an oWFN N′ if N ⊕ N′ is weakly terminating. Strat(N) denotes the set of all strategies of N.

Note that Strat(N) may correspond to a large (in fact infinite) set of oWFNs; that is, it is the set of all potential partners of N. N cust in Fig. 1(a) and N′cust in Fig. 1(b) are two examples of strategies for N supp ⊕ N ship. If [N, r] is a contract with A = {A1, …, Ak} and N is weakly terminating, then NA1 ⊕ · · · ⊕ NAi−1 ⊕ NAi+1 ⊕ · · · ⊕ NAk is a strategy for NAi. These properties of the strategy concept justify the following definition of accordance.

Definition 10 (Accordance). An oWFN N′ (private view) accords with an oWFN N (public view) if it has the same interface (I′ = I and O′ = O) and has at least the strategies that N has; that is, Strat(N′) ⊇ Strat(N).

N cust can be seen as the public view and N′cust as the private view. Clearly, N′cust accords with N cust (and vice versa). The following theorem shows that N cust can be substituted by N′cust without jeopardizing weak termination in the contract.
Theorem 1 (Implementation of a contract). Let [N, r] be a contract between parties {A1, …, Ak} where N is weakly terminating. If, for all i ∈ {1, …, k}, N′Ai (the private view of Ai) accords with NAi (the public view of Ai), then N′ = N′A1 ⊕ · · · ⊕ N′Ak (the actual implementation) is weakly terminating.

Proof. Let {A1, …, Ak} be the set of involved parties and N(j) = N′A1 ⊕ · · · ⊕ N′Aj ⊕ NAj+1 ⊕ · · · ⊕ NAk for j ∈ {0, …, k}. Note that N(0) = NA1 ⊕ · · · ⊕ NAk = N and N(k) = N′A1 ⊕ · · · ⊕ N′Ak = N′. We show by induction that N(j) is weakly terminating for any j ∈ {0, …, k}. Clearly, this holds for j = 0: N(0) = N is weakly terminating. Assume that N(j) is weakly terminating and 0 ≤ j < k. Let M = N′A1 ⊕ · · · ⊕ N′Aj ⊕ NAj+2 ⊕ · · · ⊕ NAk; that is, N(j) without NAj+1. M is a strategy for NAj+1 since N(j) = M ⊕ NAj+1 is weakly terminating; that is, M ∈ Strat(NAj+1). Since N′Aj+1 (the private view) accords with NAj+1 (the public view), Strat(NAj+1) ⊆ Strat(N′Aj+1). Hence, M ∈ Strat(NAj+1) ⊆ Strat(N′Aj+1), indicating that M is a strategy for N′Aj+1. Therefore, M ⊕ N′Aj+1 = N(j+1) is weakly terminating. By induction this implies that N(j) is weakly terminating for any j including j = k. Hence, N′ = N(k) is weakly terminating. ⊓⊔

The value of the theorem is that it gives each party a criterion (accordance of N′Ai with NAi) that can be locally verified for asserting a global property (weak termination of the overall process as actually implemented). For example, any combination of arbitrary private views N″cust, N″supp, and N″ship according with the corresponding public view (i.e., N″cust accords with N cust, N″supp accords with N supp, and N″ship accords with N ship) yields a weakly terminating realization of the contract shown in Fig. 1(a).
4 Checking Accordance
In this section, we demonstrate that the property of accordance can be verified automatically, at present subject to restrictions. Checking accordance relies on the concept of operating guidelines [19, 20]. The original purpose of an operating guideline of a service N is to characterize the set of all services M such that the composition of N and M behaves “correctly”. Thereby, “correctly” means weak termination in [19] or deadlock-freedom in [20]. The results in [19] are restricted to services with acyclic and finite behavior while there are only marginal restrictions for the approach in [20]. As we are interested in weak termination in this paper, we use the approach in [19], thus inheriting the restriction to acyclic finite state services. Such a service may have while loops in its operational description as long as every iteration produces states that are different from other iterations, for example, different counter values. In ongoing research, we work on an extension of the approach in [20] to weak termination, so the current restriction to acyclic finite state services may be only temporary.
An operating guideline OG_N of an oWFN N is basically an annotated automaton; that is, a transition system where transitions are labeled with interface places of N representing send or receive actions to N, respectively. Each state of the transition system is annotated with a Boolean formula which has places p ∈ I ∪ O of N as propositions.

Definition 11 (Annotated automaton). [Q, C, δ, q0, Φ] is an annotated automaton iff Q is a nonempty set of states, C is a set of message channels, δ : Q × C ⇀ Q is a (partial) transition function such that every state q ∈ Q is reachable from q0 via transitive applications of δ, q0 ∈ Q is the initial state, and Φ is an annotation function, where, for all q ∈ Q, Φ(q) is a Boolean formula with propositions in C.

The goal of an annotated automaton is to represent a set of automata. Concrete automata are created by removing nodes, arcs, and annotations. Function Φ provides a Boolean formula for each state indicating which combinations of outgoing arcs are allowed to be present in a concrete automaton. Note that each oWFN corresponds to an automaton. Hence, an annotated automaton can describe a set of oWFNs (e.g., Strat(N)). In order to simplify the presentation, we make the assumption that each transition of an oWFN is connected to at most one interface place. This assumption does, however, not restrict generality as every oWFN can be transformed into an equivalent one that obeys this restriction [20]. A service described in terms of an oWFN matches with OG_N iff its behavior can be embedded into OG_N such that the annotations touched by this embedding evaluate to true.

Definition 12 (Matching). Let M be an oWFN that obeys the restriction stated above and let AΦ = [Q, C, δ, q0, Φ] be an annotated automaton with C = IM ∪ OM. Let X be the set of all reachable markings of the Petri net obtained by removing all interface places of M. Then M matches with AΦ iff there is a mapping ρ from the set X to Q such that the following conditions hold:
1. ρ(m0M) = q0;
2. If t is a transition of M not connected to any interface place, m, m′ ∈ X, and m −t→ m′, then ρ(m′) = ρ(m);
3. If t is a transition of M, c ∈ IM, c ∈ •t, m, m′ ∈ X, and m + [c] −t→ m′, then (ρ(m), c) ∈ dom(δ) and ρ(m′) = δ(ρ(m), c);
4. If t is a transition of M, c ∈ OM, c ∈ t•, m, m′ ∈ X, and m −t→ m′ + [c], then (ρ(m), c) ∈ dom(δ) and ρ(m′) = δ(ρ(m), c);
5. For all m ∈ X, at least one of the following properties holds:
– A transition not connected to any interface place is enabled in m;
– Φ(ρ(m)) evaluates to true for the following assignment β to propositions (i.e., channels): let β(c) = true iff there is a transition t with c ∈ •t that is enabled in m + [c], or a transition t with c ∈ t• that is enabled in m.
In the formal definition, ρ represents the informally described embedding. The assignment used for evaluating an annotation represents the transitions that leave the considered marking in M.

Definition 13 (Operating guideline). An annotated automaton is an operating guideline OG_N of an oWFN N iff Strat(N) is exactly the set of all oWFNs matching with OG_N.

If OG_N is an operating guideline of an oWFN N, then for any oWFN M: M matches with OG_N iff M ⊕ N weakly terminates. The operating guideline of the oWFN N cust of Fig. 1(a) consists of 25 states and 61 transitions and is too large to be depicted here. As an example, we consider the final part of the customer’s oWFN N cust (oWFN N1 in Fig. 2(a)) and compute its OG (Fig. 2(b)). It consists of 4 states with the annotations depicted inside the states.
[Fig. 2 (figure not reproduced): (a) N1: p4 -d (payment)-> p5 -e (shipment)-> p6. (b) OG of N1 with states q0: ?payment ∨ !shipment, q1: !shipment, q2: ?payment, q3: true, and transitions q0 -?payment-> q1, q0 -!shipment-> q2, q1 -!shipment-> q3, q2 -?payment-> q3. (c) N2: p4 -e (shipment)-> p5 -d (payment)-> p6. (d) OG of N2 with states s0: !shipment, s1: ?payment, s2: true, and transitions s0 -!shipment-> s1 -?payment-> s2.]
Fig. 2. Two oWFNs N1 and N2 and their operating guidelines. An annotation starting with “!” (“?”) refers to a sending (receiving) event. Any strategy for N1 (N2) matches with the operating guideline of N1 (N2). N2 does not accord with N1, since it excludes the strategy that first expects the payment, followed by sending the shipment.
In [19], we presented an algorithm to compute, for each acyclic finite state oWFN N, an operating guideline OG_N. The algorithm is implemented in our tool Fiona [21]. Since an operating guideline represents the set of strategies, it is natural to use OG_N and OG_N′ for comparing Strat(N) with Strat(N′). Informally, N′ accords with N iff OG_N′ can be embedded into OG_N such that the annotations in OG_N′ imply the annotations of OG_N.

Theorem 2 (Accordance check with OGs). Let N and N′ be two acyclic finite state oWFNs with OG_N = [Q, C, δ, q0, Φ] and OG_N′ = [Q′, C, δ′, q0′, Φ′]. Then, Strat(N′) ⊆ Strat(N) iff there is a mapping ξ : Q′ → Q such that
1. ξ(q0′) = q0;
2. if ξ(q′) = q and δ′(q′, c) = q1′, then there is a q1 such that δ(q, c) = q1 and ξ(q1′) = q1; and
3. for all q′ ∈ Q′, the formula Φ′(q′) ⇒ Φ(ξ(q′)) is a tautology.
For the proof of this theorem, we rely on a fact about operating guidelines as constructed in [19]. As we cannot repeat the whole approach of [19], we just state this fact without proof.

Proposition 1 ([19]). For every service N with operating guideline OGN = [Q, C, δ, q0, Φ] and all q ∈ Q, the formula Φ(q)
1. uses only propositions c where δ(q, c) is defined, and
2. is satisfied for the assignment assigning true to all propositions.

Proof (of Thm. 2, Sketch). Implication. Let OGN′ = [Q′, C, δ′, q0′, Φ′] and OGN = [Q, C, δ, q0, Φ], and let Strat(N′) ⊆ Strat(N). We can construct an oWFN M whose behavior corresponds exactly to the transition system [Q′, C, δ′, q0′]. This can be achieved by using Q′ ∪ C as the set of places (with C being the interface of M) and having, for each q1′, c, and q2′ with δ′(q1′, c) = q2′, a transition tq1′,c,q2′ that moves a token from q1′ to q2′ and removes (produces, resp.) a token from (on) c if c is an output (input) place of N′. Let mq′ denote the marking of M where there is a token on place q′ and no token elsewhere; mq0′ is the initial marking of M. By induction, it can be shown that, for all q′ ∈ Q′, mq′ is reached by Def. 12, with ρ′(mq′) = q′. Since there is a transition for each c where δ′(q′, c) is defined, we can derive from Prop. 1 that all annotations evaluate to true when M is evaluated according to Def. 12. Consequently, M matches with OGN′ and hence M is a strategy for N′ and thus, by assumption, a strategy for N. Being a strategy for N, there is a mapping ρ from the markings of M to Q. Define ξ : Q′ → Q such that ξ(q′) = q iff ρ(mq′) = q. By the structural similarity of Def. 12 and Thm. 2, it is easy to see that ξ satisfies the first two items required in Thm. 2. For verifying the third item, let q′ ∈ Q′ and let β be an arbitrary assignment to the propositions occurring in Φ′(q′) under which Φ′(q′) is true. Remove from M all those transitions tq1′,c,q2′ where β(c) is false. By Def. 12, the resulting oWFN is still a strategy for N′ and thus a strategy for N, too. Using Def. 12 again, we can see that Φ(ξ(q′)) is true as well. Thus, Φ′(q′) ⇒ Φ(ξ(q′)) is a tautology.

Replication. Consider a mapping ξ as required and let M be a strategy for N′. We show that M is a strategy for N, too. By Def. 12, there is a mapping ρ′ from the markings of M to Q′. Let ρ(m) = ξ(ρ′(m)). For all markings reached by Def. 12, Φ′(ρ′(m)) evaluates to true for the assignment described in Def. 12, and by the third item of Thm. 2, so does Φ(ρ(m)). Consequently, M is a strategy for N.

With the help of Thm. 2, we can easily verify accordance of N′cust with Ncust of Fig. 1. In fact, the two corresponding operating guidelines are equal. Therefore, we conclude that Strat(N′cust) = Strat(Ncust). As a counterexample, we consider the oWFN N1 shown in Fig. 2(a). N1 represents the final part of the customer of Fig. 1(a). The oWFN N2 of Fig. 2(c) reverses the order of the transitions d and e. If N1 is the public view, then N2 is a wrong implementation since it excludes strategies. This is reflected by the corresponding operating guidelines, depicted in Fig. 2(b) and Fig. 2(d). Applying the mapping ξ, the state q1 of the OG of Fig. 2(b) has no counterpart in the OG of Fig. 2(d). This violates the second item of Thm. 2.

For an implementation of the criterion in Thm. 2, finding the mapping ξ is the crucial task. As both OGN and OGN′ are deterministic (i.e., in each state q there is at most one c-successor), this task actually amounts to a depth-first search through OGN′ which is mimicked in OGN. The time and space required for finding ξ is thus linear in the number of states and edges of OGN′. This size, in turn, is equal to the number of states and edges of a particular strategy for N [19]. The accordance check based on Thm. 2 has been implemented in our tool Fiona [21].
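The depth-first construction of ξ just described, as an added example (not code from the paper or from Fiona): both operating guidelines are constructed here as small deterministic transition systems with annotations, and the three items of Thm. 2 are taken as reconstructed from the proof above (ξ maps the initial state to the initial state, respects δ, and Φ′(q′) ⇒ Φ(ξ(q′)) is a tautology). The state names, labels and annotations are assumptions for illustration, not the OGs of Fig. 2.

```python
from itertools import product

# Operating guideline OG = [Q, C, delta, q0, Phi] as used in Thm. 2 and Prop. 1:
# delta is a partial function (state, label) -> state (deterministic), and Phi
# annotates each state with a Boolean formula over the labels leaving it and the
# proposition "final". Formulas are nested tuples: a proposition string,
# ('true',), ('and', f, g, ...) or ('or', f, g, ...).
class OG:
    def __init__(self, q0, delta, phi):
        self.q0, self.delta, self.phi = q0, delta, phi


def props(f):
    """Set of propositions occurring in formula f."""
    if isinstance(f, str):
        return {f}
    return set().union(*(props(g) for g in f[1:]))


def evaluate(f, assignment):
    """Truth value of f under a {proposition: bool} assignment."""
    if isinstance(f, str):
        return assignment[f]
    op = f[0]
    if op == 'true':
        return True
    if op == 'and':
        return all(evaluate(g, assignment) for g in f[1:])
    if op == 'or':
        return any(evaluate(g, assignment) for g in f[1:])
    raise ValueError('unknown operator ' + op)


def implies_tautology(f, g):
    """True iff f => g holds under every assignment (truth-table check over the
    propositions of both formulas; annotations are small, so this is cheap)."""
    names = sorted(props(f) | props(g))
    for values in product([False, True], repeat=len(names)):
        assignment = dict(zip(names, values))
        if evaluate(f, assignment) and not evaluate(g, assignment):
            return False
    return True


def find_xi(og_impl, og_spec):
    """Search for xi : Q' -> Q witnessing Strat(N') subset of Strat(N), i.e. that
    the implementation with operating guideline og_impl accords with the public
    view with operating guideline og_spec. Depth-first search through og_impl,
    mimicked in og_spec; returns (xi, None) on success or (None, reason) on the
    first violated item of Thm. 2."""
    xi = {og_impl.q0: og_spec.q0}            # item 1: initial states correspond
    stack, seen = [og_impl.q0], set()
    while stack:
        q = stack.pop()
        if q in seen:
            continue
        seen.add(q)
        # item 3: Phi'(q) => Phi(xi(q)) must be a tautology
        if not implies_tautology(og_impl.phi[q], og_spec.phi[xi[q]]):
            return None, 'annotation of %s does not imply annotation of %s' % (q, xi[q])
        for (q1, c), q2 in og_impl.delta.items():
            if q1 != q:
                continue
            # item 2: every c-successor in OG_N' needs a c-successor in OG_N
            if (xi[q], c) not in og_spec.delta:
                return None, 'state %s (reached via %s) has no counterpart' % (q2, c)
            image = og_spec.delta[(xi[q], c)]
            if xi.setdefault(q2, image) != image:   # xi must be a function
                return None, 'state %s would need two images' % q2
            stack.append(q2)
    return xi, None


# Constructed sample (assumption, not the OGs of Fig. 2): the public view
# tolerates a partner that sends "order" and then receives "invoice", or one
# that sends "cancel"; the implementation supports only the "order" branch,
# so Strat(impl) is a subset of Strat(spec) but not vice versa.
OG_SPEC = OG('q0',
             {('q0', '!order'): 'q1', ('q0', '!cancel'): 'q3', ('q1', '?invoice'): 'q2'},
             {'q0': ('or', '!order', '!cancel'), 'q1': '?invoice',
              'q2': 'final', 'q3': 'final'})
OG_IMPL = OG('s0',
             {('s0', '!order'): 's1', ('s1', '?invoice'): 's2'},
             {'s0': '!order', 's1': '?invoice', 's2': 'final'})

if __name__ == '__main__':
    print(find_xi(OG_IMPL, OG_SPEC))   # a mapping: the implementation accords
    print(find_xi(OG_SPEC, OG_IMPL))   # None: the reverse direction is violated
```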
5 Derive a Private View From a Public View
In the previous section, we presented a method to check accordance. Using operating guidelines we can check whether some oWFN representing the private view accords with the oWFN representing the public view. However, instead of checking accordance after creating the private view, it is also possible to guarantee accordance by using transformation rules. This idea is inspired by the earlier work on projection inheritance [9, 10, 16, 17]. Accordance is a weaker notion than projection inheritance. This was illustrated already using Fig. 1, where N′cust accords with Ncust but N′cust and Ncust are not related by projection inheritance. In the following we explain the general approach of using transformation rules (cf. Sect. 5.1). Then, we give a retrospection of projection inheritance in Sect. 5.2. In Sect. 5.3, we prove that projection inheritance implies accordance, and therefore all inheritance-preserving transformation rules presented in [17] also preserve accordance. We will show these rules by reformulating them to fit into the setting of this paper. Afterwards, in Sect. 5.4, we will formulate dedicated transformation rules that take the sending and receiving of messages into account while still guaranteeing accordance. Finally, the applicability of the presented transformation rules is demonstrated with the help of a case study (cf. Sect. 5.5).

5.1 The Transformation Approach
According to Thm. 1 in Sect. 3, every party of a contract can implement its public view and finally has to check accordance between the private and the public view. In the following, we present a different approach: the public view is incrementally transformed into a private view. To this end, fragments of the public view are incrementally replaced by other fragments until the private view is designed. In this approach, a fragment N′ of a party is called a pattern and will be replaced by another fragment N′′. We will prove that if N′′ accords with N′, then replacing N′ by N′′ preserves weak termination of the overall contract.

First of all, we formally define an oWFN pattern N′ of an oWFN N. To this end, the set of interface places of N′ is divided into two sets: one set contains all places that are interface places of N for communicating with other parties (i.e., subsets of I and O), and the other set, R ∪ S, contains all places that serve as an interface to the rest of N. R is the set of input places from the other parts of N, and S is the set of output places. We first define a subnet of an oWFN and then an oWFN pattern, which is a restricted subnet.

Definition 14 (Subnet). Let N = (P, T, F, I, O, m0, Ω) be an oWFN. An oWFN N′ = (P′, T′, F′, I′, O′, m′0, Ω′) is a subnet of N iff
– P′ ⊆ P,
– T′ ⊆ T,
– F′ = F ∩ ((P′ × T′) ∪ (T′ × P′)),
– I′ = I|P′,
– O′ = O|P′,
– m′0 = m0|P′, and
– Ω′ = {m′f | m′f = mf|P′, mf ∈ Ω}.
Definition 15 (oWFN pattern). Let N = (P, T, F, I, O, m0, Ω) be an oWFN and N′ = (P′, T′, F′, I′, O′, m′0, Ω′) a subnet of N. N′ is an oWFN pattern of N iff
– m′0 = [ ],
– I′ = I|P′ ∪ R with R ⊆ P′ \ I,
– O′ = O|P′ ∪ S with S ⊆ P′ \ O,
– Ω′ = {[ ]},
– for all p ∈ P′ \ R, there is no t ∈ T \ T′ with (t, p) ∈ F,
– for all p ∈ P′ \ S, there is no t ∈ T \ T′ with (p, t) ∈ F, and
– for all t ∈ T′, there is no p ∈ P \ P′ with (p, t) ∈ F or (t, p) ∈ F.
The next theorem states that if the public view of a party participating in a contract has an oWFN pattern N′ and there is another oWFN pattern N′′ such that N′′ accords with N′, then we can replace N′ by N′′ and the modified contract is still weakly terminating. Such transformations can be applied incrementally, and thus we can derive a private view from a public view just by transforming the public view; the resulting private view is correct by construction.

Theorem 3 (Justification of transformation rules). Let [N, r] be a contract between parties {A1, . . . , Ak} where N = NA1 ⊕ · · · ⊕ NAk is weakly terminating. Let Np′ be an oWFN pattern of NAi, 1 ≤ i ≤ k, such that there exists an oWFN Nrest with NAi = Np′ ⊕ Nrest. Let further Np′′ be an arbitrary oWFN. Then, if Np′′ accords with Np′, the modified contract N′ = NA1 ⊕ · · · ⊕ NAi−1 ⊕ (Np′′ ⊕ Nrest) ⊕ NAi+1 ⊕ · · · ⊕ NAk is weakly terminating.

Proof. The theorem is an application of Thm. 1. In contrast to Thm. 1, we do not replace a party's public view by a private view but an oWFN pattern of a party's public view by another oWFN pattern. Since Np′′ accords with Np′ and the rest of the contract, that is, NA1 ⊕ · · · ⊕ NAi−1 ⊕ Nrest ⊕ NAi+1 ⊕ · · · ⊕ NAk, remains unchanged, the modified contract N′ is weakly terminating by Thm. 1.

During the next sections we will present several transformation rules whose correctness is justified by Thm. 3.

5.2 Projection Inheritance
Inheritance is one of the key concepts of object-orientation. In object-oriented design, inheritance is typically restricted to the static aspects (e.g., data and methods) of an object class. In many cases, however, the dynamic behavior of services is of prime importance. Therefore, in [17], four inheritance notions focusing on the dynamics have been defined. One of these notions is projection inheritance. The four notions of inheritance allow for comparing two process models: the subclass and the superclass. The subclass process is indeed a subclass if it inherits particular dynamic properties of its superclass. Although these four inheritance notions are notation-independent, in [17], they have been defined in terms of Petri nets and process algebra. The four inheritance relations use branching bisimulation [22] (to compare processes) in combination with the notions of encapsulation and abstraction. Encapsulation corresponds to blocking tasks, whereas abstraction corresponds to hiding tasks. In this paper, we only focus on projection inheritance. Projection inheritance is based on branching bisimulation and abstraction. The assumption is that the subclass adds methods to the superclass such that after hiding the additional methods both are equivalent. The basic idea of projection inheritance can be characterized as follows: “If it is not possible to distinguish the behaviors of x and y when arbitrary methods of x are executed, but when only the effects of methods that are also present in y are considered, then x is a subclass of y” [17]. Projection inheritance was defined for workflow nets, but in this definition projection inheritance refers to “methods” rather than the “sending and receiving of messages”. 
However, it is easy to reformulate projection inheritance in terms of the setting of this paper by the following mapping: a method present in both the superclass and the subclass corresponds to a transition that is connected to an interface place, and these are the only transitions that are connected to an interface place. That way, we reformulate projection inheritance for open workflow nets. As branching bisimulation compares the transition systems of two oWFNs, we need to consider closed systems, that is, oWFNs with an empty interface. For this purpose, we define the notion of the inner of an oWFN N. To compare transitions of two oWFNs, transitions connected to interface places need to have distinguishable labels. Obviously, the labeling function has to guarantee that two transitions connected to the same set of interface places have the same label. In contrast, transitions not connected to an interface place (i.e., internal transitions) are labeled with τ. This leads to the following definition of a labeled oWFN.

Definition 16 (Labeled oWFN). Let N = (P, T, F, I, O, m0, Ω) be an oWFN, t ∈ T, p ∈ (I ∪ O) an interface place of N, and Intt = {p | p ∈ •t ∪ t•} the set of interface places connected to t. Then, l : T → P(I ∪ O) is a function which labels every t with its interface places Intt. If Intt ≠ ∅, then l(t) = {g ◦ p | g ∈ {!, ?}, p ∈ Intt, g = ? if p ∈ I, g = ! if p ∈ O} (where ◦ is the concatenation operator), else l(t) = τ. Then, N′ = (P, T, F, I, O, m0, Ω, l) is a labeled oWFN.

To distinguish the labels of transitions connected to an input place a and an output place a, we extend the label with "?" and "!", respectively. For example, the labeled oWFN of the modified customer in Fig. 1(b) has labels l(a) = {!order}, l(c) = {?invoice}, l(x) = l(y) = τ, etc. Obviously, the definitions we presented for oWFNs can be easily extended to labeled oWFNs. We only define the composition of labeled oWFNs.

Definition 17 (Composition of labeled oWFNs). Let N1, . . . , Nk be a composable set of labeled oWFNs. The composition N = N1 ⊕ · · · ⊕ Nk is defined as for oWFNs (see Def. 6), and the labeling function l is l : T → P(I ∪ O).

Next, we define the inner of a labeled oWFN N that results from eliminating all interface places from N.

Definition 18 (innerN). Let N = (P, T, F, I, O, m0, Ω, l) be a labeled oWFN and let J = P \ (I ∪ O) be the set of internal places of N. Then, innerN = (J, T, F ∩ ((J × T) ∪ (T × J)), m0, Ω, l).

As an example, consider the inner of the customer Ncust (see Fig. 1(a)) and of the modified customer N′cust (see Fig. 1(b)) depicted in Fig. 3. To compare the behavior of two labeled oWFNs N and N′ with respect to branching bisimulation, we have to check whether innerN and innerN′ are branching bisimilar. The following definition formalizes the notion of branching bisimulation. This definition takes into account that, for each final marking of innerN, there exists a final marking in innerN′ and both markings are related by branching bisimulation.

Definition 19 (Branching bisimulation). Let N, N′ be two labeled oWFNs and N1 = innerN, N2 = innerN′ the inner of these two nets. Let further m0N1, m0N2 be the initial markings of N1 and N2, respectively. N1 and N2 are branching bisimilar, denoted N1 ≈bb N2, iff there exists a symmetric relation R such that m0N1 R m0N2 and for all mN1, mN2 holds: if mN1 R mN2 and mN1 −α→ m′N1, then either
– α = τ and m′N1 R mN2, or
– there are m′N2, m′′N2 such that mN2 −ε→ m′N2 −α→ m′′N2, mN1 R m′N2, and m′N1 R m′′N2 (where ε is a (possibly empty) sequence of τ transitions).
Furthermore, for each final marking mfN1 ∈ ΩN1 holds: if mfN1 R mgN2, then either mgN2 ∈ ΩN2 or every transition sequence starting from mgN2 contains a state m′gN2 ∈ ΩN2 with mfN1 R m′gN2.

The nets shown in Fig. 3 are not branching bisimilar. Intuitively, the inner of N′cust has more behavior than the inner of Ncust. As an example, for marking [p21, p24] in Fig. 3(b) there is no corresponding marking in Fig. 3(a).
[Fig. 3 is a drawing; its place and transition labels are not reproduced here. (a) The inner of Ncust. (b) The inner of N′cust.]
Fig. 3. The inner of the customer and the modified customer (cf. Fig. 1).
To decide whether two labeled oWFNs are related by projection inheritance, it is sufficient to check if the inner of these oWFNs are branching bisimilar. In contrast to [17], we do not need to define an abstraction operator. In our mapping, the comparison of the two oWFNs is restricted to the transitions that are connected to an interface place. We abstract from all other transitions by labeling them with τ. The labeling, however, is fixed in the definition of a labeled oWFN, and thus no additional definition of an abstraction is necessary. Consequently, we can define projection inheritance of two oWFNs as follows:

Definition 20 (Projection inheritance). Let N, N′ be two oWFNs, let Nl, Nl′ be their respective labeled oWFNs, and let N1 = innerNl, N2 = innerNl′. N and N′ are related by projection inheritance, denoted N ≈pj N′, iff N1 ≈bb N2.

Classical projection inheritance, as defined in [17], specifies a subclass-superclass relation between two WFNs. This relation, however, restricts the approach to either removing transitions (i.e., the resulting WFN is a superclass) or adding transitions (i.e., the resulting WFN is a subclass). In Def. 20, we have defined projection inheritance for oWFNs in a more general way, allowing for adding and removing transitions. So the resulting oWFN might be neither a subclass nor a superclass. Consequently, we do not have a subclass-superclass relation. However, in our setting this generalization is necessary, because it is important to know whether adding or removing internal transitions to/from an oWFN changes the interactional behavior of the resulting oWFN.

Consider again the two nets depicted in Fig. 3. Since they are not branching bisimilar, we can conclude that Ncust and N′cust in Fig. 1 are not related by projection inheritance. From the definition of projection inheritance we can conclude the following proposition.

Proposition 2. Let N, N′ be two oWFNs. If N and N′ are related by projection inheritance, the following necessary but not sufficient conditions hold:
(1) N and N′ have the same set of interface places (I = I′ and O = O′).
(2) If a transition of N (N′) is connected to a set of interface places, then a transition connected to the same set of interface places is present in N′ (N).

5.3 Inheritance-Preserving Transformation Rules
Based on the notion of projection inheritance, three inheritance-preserving transformation rules have been defined in [17]. These rules correspond to design patterns for extending a superclass to incorporate new behavior: (1) adding loops, (2) inserting methods in-between existing methods, and (3) putting new methods in parallel with existing methods. In [9, 10, 16, 17], these rules are defined and/or applied. Instead of redefining these rules formally, we exemplify them in Fig. 4. Figure 4(a) represents an oWFN pattern M0 of an oWFN M. M0 contains transitions a, b, and c. By Def. 15, there are no other connections of a, b, c, p1, and p2 than those shown in Fig. 4(a). Ai = (•a) ∩ IM is the set of input places of a, Ao = (a•) ∩ OM is the set of output places of a, etc. Ai, Ao, Bi, Bo, Ci, Co do not need to be disjoint. R = (•a) \ IM and S = (c•) \ OM are (by Def. 15) the places connecting M0 to the rest of M. Similar remarks hold for the other three oWFN patterns M1, M2, and M3. For example, M1 is obtained by adding transition d to M0.
[Fig. 4 is a drawing; its place and transition labels are not reproduced here. (a) M0. (b) M1: Adding a loop to M0. (c) M2: Putting method d in parallel to b. (d) M3: Inserting method d in-between a and b.]
Fig. 4. Accordance-preserving transformation rules based on projection inheritance.
M0 in Fig. 4 may be replaced by any of the three other oWFNs M1, M2, and M3 without changing the set of strategies; that is, M1 accords with M0, M2 accords with M0, M3 accords with M0, and vice versa. More precisely, any of the four nets can be replaced by one of the other nets without violating accordance. If one generates the labeled oWFNs and ignores the interface places (i.e., constructs the inner of the respective oWFNs), then M0, M1, M2, and M3 are branching bisimilar. Thus, M0, M1, M2, and M3 are related by projection inheritance. However, as an example, M1 and M2 are related by projection inheritance only in our setting, but not in the setting of [17]. The reason is that M1 is neither a subclass nor a superclass of M2 and vice versa.

It is easy to see that projection inheritance implies accordance.

Theorem 4 (Projection inheritance implies accordance). Let N and N′ be two oWFNs. If N and N′ are related by projection inheritance, then N′ accords with N and vice versa.

The intuition behind this theorem is that the interface places of an oWFN N only restrict the behavior of N. Hence, the actual behavior after composing N with another net is included in innerN. Consider the labeled oWFNs Nl and Nl′ of N and N′, respectively. Since only visible transitions (i.e., transitions that are not labeled with τ) are connected to interface places, and the firing of any visible transition in Nl can be followed by the same transition in Nl′ and vice versa, both Nl and Nl′ are identical when it comes to the production or consumption of tokens in interface places. Moreover, since the final markings are related, the termination of Nl can be followed by Nl′ and vice versa. For the proof of Thm. 4, we need the following two lemmata.

Lemma 1. Let N, N′, M be labeled oWFNs. Let further N and M as well as N′ and M be composable. Then, innerN ≈bb innerN′ implies innerN⊕M ≈bb innerN′⊕M.

Proof. We prove this lemma by contradiction. Assume innerN⊕M and innerN′⊕M are not branching bisimilar. We will show that this implies that innerN and innerN′ are not branching bisimilar, contradicting the assumption. Let N ⊕ M = (P, T, F, I, O, m0, Ω, l) and N′ ⊕ M = (P′, T′, F′, I′, O′, m′0, Ω′, l′). Let further RGN⊕M(m0) and RGN′⊕M(m′0) be the reachable states of innerN⊕M and innerN′⊕M, respectively. From innerN ≈bb innerN′ it follows that IN = IN′ and ON = ON′. Thus, I = I′ and O = O′, meaning that both compositions have the same interface. Consequently, innerN⊕M and innerN′⊕M have the same visible transitions. To check whether the transition systems of innerN⊕M and innerN′⊕M are branching bisimilar, one has to relate their respective initial states m0 and m′0 and then apply Def. 19. As innerN⊕M and innerN′⊕M are assumed not to be branching bisimilar, by Def. 19 there exist markings m ∈ RGN⊕M(m0), m′ ∈ RGN′⊕M(m′0) violating branching bisimulation. Let m and m′ be the first markings violating branching bisimulation. The transitions that cause this violation must be transitions of N and N′ rather than transitions of M, because M can only behave differently in the two compositions if it is controlled differently by N and N′, respectively. This is, however, only possible if N and N′ are not branching bisimilar, and thus contradicts our assumption. Therefore, the assumption that innerN⊕M and innerN′⊕M are not branching bisimilar is wrong and the lemma holds.

Lemma 2. Let N, N′ be two labeled oWFNs with empty interface; that is, innerN = N and innerN′ = N′. If N ≈bb N′, then N weakly terminates iff N′ weakly terminates.

Proof. Let N ≈bb N′. Implication: Let N be weakly terminating. Thus (by Def. 4), from every marking a final marking can be reached. Let m′ ∈ RGN′(m0N′) be an arbitrary marking in N′. Since N ≈bb N′, there exists a marking m ∈ RGN(m0N) with m R m′. From N being weakly terminating we derive that there exists a transition sequence σ with m −σ→ mf, mf ∈ RGN(m0N) and mf ∈ ΩN. Since N ≈bb N′, we can derive that there is a marking m′f ∈ RGN′(m0N′) with mf R m′f and a transition sequence σ′ such that m′ −σ′→ m′f. By Def. 19, m′f ∈ ΩN′. Thus, N′ is also weakly terminating. Replication: Same argumentation as in the implication.

With the help of the two lemmata, we can prove Thm. 4.

Proof (of Thm. 4). Let Nl and Nl′ be the respective labeled oWFNs of N and N′. Since N and N′ are related by projection inheritance, innerNl ≈bb innerNl′ holds. N′ accords with N and vice versa if and only if Strat(N) = Strat(N′). To show that N and N′ have the same set of strategies, it is sufficient to prove Strat(N) ⊆ Strat(N′) and Strat(N′) ⊆ Strat(N). For the case Strat(N) ⊆ Strat(N′), let NS ∈ Strat(N) be an arbitrary strategy. It is sufficient to show that NS ∈ Strat(N′). Let NSl be the labeled oWFN of NS. From innerNl ≈bb innerNl′ and by Lemma 1 we derive innerNl⊕NSl ≈bb innerNl′⊕NSl. Since NS is a strategy for N, it follows that N ⊕ NS and also Nl ⊕ NSl are weakly terminating. By Lemma 2 we can conclude that Nl′ ⊕ NSl is weakly terminating, too. Therefore N′ ⊕ NS is weakly terminating and hence NS is also a strategy for N′. The proof for the case Strat(N′) ⊆ Strat(N) follows the same argumentation. Hence, Strat(N) = Strat(N′) and the theorem holds.

Theorem 4 justifies that adding and removing transitions that are not connected to an interface place, as long as branching bisimulation is preserved, preserves accordance. In [9, 10, 16, 17], several inheritance-preserving transformation rules are provided. We would like to emphasize that the simplified examples shown in Fig. 4 do not do justice to these rules. The actual rules are much more generic. However, a detailed discussion of these is outside the scope of this paper.

5.4 Accordance-Preserving Transformation Rules
Projection inheritance implies accordance and, therefore, the inheritance-preserving transformation rules can be used to incrementally build a private view that accords with the public view of a service. However, inheritance-preserving transformation rules are limited in the sense that they do not allow changing the order of messages. In the following, we present seven accordance-preserving transformation rules. Five of these rules preserve accordance in both directions and two rules preserve accordance only in one direction. Given an oWFN N, each transformation rule specifies a pattern N′ of N (see Def. 15) which can be replaced by another pattern N′′, yielding a new oWFN Nnew. Theorem 3 justifies that this replacement does not violate the overall contract.

The first oWFN pattern we consider, N3, sequentially sends n messages a1, . . . , an and is defined as follows.

Definition 21 (N3). Let n > 0. Then, N3 = (P, T, F, I, O, m0, Ω) is an oWFN pattern with
– P = I ∪ O ∪ {p1, . . . , pn−1},
– T = {t1, . . . , tn},
– F = {(r, t1) | r ∈ R} ∪ {(tn, s) | s ∈ S} ∪ {(ti, pi), (pi, ti+1) | i = 1, . . . , n − 1} ∪ {(ti, ai) | i = 1, . . . , n},
– I = R,
– O = {a1, . . . , an} ∪ S.

N3 is depicted on the left hand side of Fig. 5. The next oWFN pattern, N4, results from merging transitions t1, . . . , tn of N3 into a single transition t. Thus, N4 sends all messages a1, . . . , an simultaneously.

Definition 22 (N4). Let n > 0. Then, N4 = (P, T, F, I, O, m0, Ω) is an oWFN pattern with
– P = I ∪ O,
– T = {t},
– F = {(r, t) | r ∈ R} ∪ {(t, s) | s ∈ S} ∪ {(t, ai) | i = 1, . . . , n},
– I = R,
– O = {a1, . . . , an} ∪ S.

N4 is depicted on the right hand side of Fig. 5. The first transformation rule is depicted in Fig. 5 and specifies that a sequence of sending events can be merged and the events can be sent simultaneously. Thus, N3 can be transformed into N4 and vice versa. Rule 1 preserves accordance in both directions. Consequently, Strat(N3) = Strat(N4).
[Fig. 5 is a drawing; its place and transition labels are not reproduced here. Left: N3. Right: N4.]
Fig. 5. Rule 1: A sequence of sending events (N3) can be sent simultaneously (N4). Strat(N3) = Strat(N4).
Lemma 3 (Rule 1: Merging of sending events). Let N3 and N4 be as defined. N3 accords with N4 and N4 accords with N3.

Proof (Sketch). It is sufficient to prove Strat(N3) ⊆ Strat(N4) and Strat(N3) ⊇ Strat(N4).

Strat(N3) ⊆ Strat(N4): Let U = (PU, TU, FU, IU, OU, m0U, ΩU) ∈ Strat(N3) such that N3 is not dead in N3 ⊕ U; otherwise, we could trivially replace N3 by N4 without violating accordance. We have to show: U ∈ Strat(N4). Since N3 is not dead in N3 ⊕ U, U has to mark the places R in N3 in order to enable t1. The final marking of N3 is the empty marking; thus, all transitions t1, . . . , tn in N3 have to be fired. Consequently, U has to consume all tokens from the output places of N3. Consider now N4. N4 has the same interface and the same final marking as N3, and t is enabled if and only if t1 is enabled (because •t = •t1). Therefore, U enables t in N4 ⊕ U. Since t has the same effect as t1, . . . , tn and there is no interaction between U and N4 (and U and N3) other than sending, U can consume all tokens from the output places of N4, too. The reason is that any transition tU in U with p ∈ •tU and p ∈ IU that can be enabled in N3 ⊕ U will also be enabled in N4 ⊕ U. Thus, U ∈ Strat(N4).

Strat(N3) ⊇ Strat(N4): Follows the same argumentation as above. Any transition tU that is enabled in N4 ⊕ U will eventually be enabled in N3 ⊕ U. Therefore, U ∈ Strat(N3) and hence the lemma holds.

As Rule 1 preserves accordance in both directions, we can derive that a sequence of sending events can also be reordered or sent concurrently. Reordering of sending events and executing sending events concurrently also preserve accordance in both directions. It is worthwhile mentioning that N3 and N4 reflect exactly the Murata reduction rule Fusion of Series Transitions (see [23]).

Next, we redefine N3 and N4; that is, sending events are changed to receiving events. The corresponding oWFN patterns, N5 and N6, are formalized as follows.
Definition 23 (N5). Let n > 0. Then, N5 = (P, T, F, I, O, m0, Ω) is an oWFN pattern with
– P = I ∪ O ∪ {p1, . . . , pn−1},
– T = {t1, . . . , tn},
– F = {(r, t1) | r ∈ R} ∪ {(tn, s) | s ∈ S} ∪ {(ti, pi), (pi, ti+1) | i = 1, . . . , n − 1} ∪ {(ai, ti) | i = 1, . . . , n},
– I = {a1, . . . , an} ∪ R,
– O = S.

Definition 24 (N6). Let n > 0. Then, N6 = (P, T, F, I, O, m0, Ω) is an oWFN pattern with
– P = I ∪ O,
– T = {t},
– F = {(r, t) | r ∈ R} ∪ {(t, s) | s ∈ S} ∪ {(ai, t) | i = 1, . . . , n},
– I = {a1, . . . , an} ∪ R,
– O = S.

N5 and N6 are depicted on the left and right hand side of Fig. 6, respectively.

[Fig. 6 is a drawing; its place and transition labels are not reproduced here. Left: N5. Right: N6.]
Fig. 6. Rule 2: A sequence of receiving events (N5) can be merged (N6). Strat(N5) = Strat(N6).
Like a sequence of sending events (see Lemma 3), a sequence of receiving events can be executed simultaneously, too. Thus, N5 can be transformed into N6 and vice versa, and this transformation preserves accordance in both directions. Consequently, Strat(N5) = Strat(N6). This is specified by Rule 2 in Fig. 6.

Lemma 4 (Rule 2: Merging receiving events). Let N5 and N6 be as defined. N5 accords with N6 and N6 accords with N5.

Proof (Sketch). It is sufficient to prove Strat(N5) ⊆ Strat(N6) and Strat(N5) ⊇ Strat(N6).

Strat(N5) ⊆ Strat(N6): Let U = (PU, TU, FU, IU, OU, m0U, ΩU) ∈ Strat(N5) such that N5 is not dead in N5 ⊕ U; otherwise, we could trivially replace N5 by N6 without violating accordance. We have to show: U ∈ Strat(N6). Since N5 is not dead in N5 ⊕ U and the final marking of N5 is the empty marking, all transitions t1, . . . , tn in N5 have to be fired. Thus, U has to mark all input places in N5 and consume all tokens that are produced by N5 on the places S. Consider now N6. N6 has the same interface and the same final marking as N5, and t is enabled if all input places of N6 are marked. Since U receives no response from N5 until all input places of N5 are marked (i.e., until tn is enabled), U will also enable t in N6 and then consume the tokens on S which are produced by N6. Thus, U ∈ Strat(N6).

Strat(N5) ⊇ Strat(N6): Follows the same argumentation as above. Therefore, U ∈ Strat(N5) and hence the lemma holds.

From Lemma 4 we can derive (as for a sequence of sending events) that a sequence of receiving events can be reordered or the events can be executed concurrently while preserving accordance in both directions.

For the third transformation rule, we consider an oWFN pattern N7 that first receives some events in sequence and then sends some events in sequence. N7 is defined as follows.

Definition 25 (N7). Let n > 0 and 0 ≤ j ≤ n. Then, N7 = (P, T, F, I, O, m0, Ω) is an oWFN pattern with
– P = I ∪ O ∪ {p1, . . . , pn−1},
– T = {t1, . . . , tn},
– F = {(r, t1) | r ∈ R} ∪ {(tn, s) | s ∈ S} ∪ {(ti, pi), (pi, ti+1) | i = 1, . . . , n − 1} ∪ {(ai, ti) | i = 1, . . . , j} ∪ {(ti, ai) | i = j + 1, . . . , n},
– I = {a1, . . . , ak−1} ∪ R,
– O = {ak, . . . , an} ∪ S.

n is the number of all messages being sent and received by N7 and j defines the number of messages being received. N7 is depicted on the left hand side of Fig. 7. Next, we define N8, which results from merging all transitions t1, . . . , tn in N7 into a single transition t. Thus, all sending and receiving events are executed simultaneously in N8.

Definition 26 (N8). Let n > 0 and 0 ≤ j ≤ n. Then, N8 = (P, T, F, I, O, m0, Ω) is an oWFN pattern with
– P = I ∪ O,
– T = {t},
– F = {(r, t) | r ∈ R} ∪ {(t, s) | s ∈ S} ∪ {(ai, t) | i = 1, . . . , j} ∪ {(t, ai) | i = j + 1, . . . , n},
– I = {a1, . . . , ak−1} ∪ R,
– O = {ak, . . . , an} ∪ S.

n is the number of all messages being sent and received by N8 and j defines the number of messages being received. N8 is depicted on the right hand side of Fig. 7.
[Fig. 7 is a drawing; its place and transition labels are not reproduced here. Left: N7. Right: N8.]
Fig. 7. Rule 3: A sequence of receiving events followed by a sequence of sending events (N7) can be executed simultaneously (N8). Strat(N7) = Strat(N8).
The third accordance-preserving transformation rule, Rule 3, specifies that N7 can be transformed into N8 and vice versa without violating accordance; that is, Strat(N7) = Strat(N8). Rule 3 is shown in Fig. 7 and its correctness is proven by the following lemma.

Lemma 5 (Rule 3: Merging receiving and sending events). Let N7 and N8 be as defined. N7 accords with N8 and N8 accords with N7.

Proof (Sketch). Follows the same argumentation as Lemma 3 and Lemma 4.

It is worthwhile mentioning that Rule 1 and Rule 2 are special cases of Rule 3 with the set of input and output places being empty, respectively. More precisely, if in N7 and N8 the parameter j is set to 0 (n), the set of input (output) places is empty. From Lemmata 3–5 we can derive that every oWFN pattern that has a transition connected to more than one interface place can be transformed into an equivalent oWFN pattern which has only transitions connected to a single interface place. In the following, without loss of generality, we therefore restrict ourselves to patterns where each transition is connected to at most one interface place.

So far, we excluded the possibility that a sending event is followed by a receiving event. For the next transformation rule, we define oWFN patterns N9 and N10. N9 first sends a message a and then receives a message b. In N10, in contrast, sending a and receiving b are executed concurrently.

Definition 27 (N9). Let N9 = (P, T, F, I, O, m0, Ω) be an oWFN pattern with
– P = I ∪ O ∪ {p},
– T = {ta, tb},
– F = {(r, ta) | r ∈ R} ∪ {(tb, s) | s ∈ S} ∪ {(ta, a), (ta, p), (p, tb), (b, tb)},
– I = {b} ∪ R,
– O = {a} ∪ S.

Definition 28 (N10). Let N10 = (P, T, F, I, O, m0, Ω) be an oWFN pattern with
– P = I ∪ O ∪ {p1, p2, p3, p4},
– T = {ta, tb, t1, t2},
– F = {(r, t1) | r ∈ R} ∪ {(t2, s) | s ∈ S} ∪ {(t1, p1), (t1, p2), (p1, ta), (p2, tb), (ta, a), (b, tb), (ta, p3), (tb, p4), (p3, t2), (p4, t2)},
– I = {b} ∪ R,
– O = {a} ∪ S.

N9 and N10 are depicted on the left and right hand side of Fig. 8, respectively. Rule 4 presented in Fig. 8 specifies that sending messages followed by receiving messages (transitions ta and tb in N9, respectively) can also be executed concurrently (N10) and vice versa. Rule 4 preserves accordance in both directions and hence Strat(N9) = Strat(N10).

Lemma 6 (Rule 4: Send and receive in parallel). Let N9 and N10 be as defined. N9 accords with N10 and N10 accords with N9.

Proof (Sketch). It is sufficient to prove Strat(N9) ⊆ Strat(N10) and Strat(N9) ⊇ Strat(N10).

Strat(N9) ⊆ Strat(N10): Let U ∈ Strat(N9) such that N9 is not dead in N9 ⊕ U; otherwise, we could trivially replace N9 by N10 without violating accordance.
[Fig. 8: N9 on the left, N10 on the right]
Fig. 8. Rule 4: Send and then receive (N9) can be executed concurrently (N10). Strat(N9) = Strat(N10).
We have to show: U ∈ Strat(N10). There is only one run in N9 possible (first ta, then tb), and this is a run of N10, too. Thus, if U ∈ Strat(N9), then also U ∈ Strat(N10).

Strat(N9) ⊇ Strat(N10): Let U ∈ Strat(N10) such that N10 is not dead in N10 ⊕ U; otherwise, we could trivially replace N10 by N9 without violating accordance. We have to show: U ∈ Strat(N9). Assume U ∉ Strat(N9). We will show that such a U does not exist and thus contradict the assumption. Obviously, U has to take advantage of the fact that ta and tb can be executed concurrently in N10. In order that tb can fire before ta, U has to send b before it receives a. However, in this case U is a strategy for N9. As there is no other possibility for U to behave differently, every strategy for N10 is also a strategy for N9. Hence, Strat(N9) = Strat(N10) and the lemma holds.

Sending and receiving simultaneously can also be transformed into first sending and then receiving. This is formalized in the next transformation rule, Rule 5. For it, we define the oWFN pattern N11, which sends a and receives b simultaneously. N11 results from merging the transitions ta and tb of N9 into a single transition tab.

Definition 29 (N11). Let N11 = (P, T, F, I, O, m0, Ω) be an oWFN pattern with
– P = I ∪ O,
– T = {tab},
– F = {(r, tab) | r ∈ R} ∪ {(tab, s) | s ∈ S} ∪ {(tab, a), (b, tab)},
– I = {b} ∪ R,
– O = {a} ∪ S.
[Fig. 9: N11 on the left, N9 on the right]
Fig. 9. Rule 5: Send and then receive (N9) cannot be executed simultaneously (N11). Strat(N11) ⊆ Strat(N9).
N11 is depicted on the left hand side of Fig. 9. Rule 5, illustrated in Fig. 9, preserves accordance in one direction only. This is formalized by the following lemma.

Lemma 7 (Rule 5: Sending and receiving simultaneously). Let N9 and N11 be as defined. N9 accords with N11.

Proof. It is sufficient to prove Strat(N11) ⊆ Strat(N9). Let U ∈ Strat(N11) such that N11 is not dead in N11 ⊕ U; otherwise, we could trivially replace N11 by N9 without violating accordance. We have to show: U ∈ Strat(N9). Since N11 is not dead in N11 ⊕ U and the final marking of N11 is the empty marking, U has to enable tab (i.e., mark the places R and b) and, after firing tab, it has to consume all tokens from the output places of N11 (i.e., the places a and S). N9 and N11 have the same interface and the same final marking. Consequently, if we substitute N11 by N9, U enables the transitions ta and tb in N9 ⊕ U. Furthermore, U consumes all tokens from the output places of N9. Hence, U ∈ Strat(N9).

Although N9 accords with N11, N11 does not accord with N9: the oWFN pattern depicted in Fig. 10(b) is a strategy for N9, but it is no strategy for N11.

Now, let us consider N12, depicted on the right hand side of Fig. 10(a). N12 results from changing the order of sending and receiving in N9. It is worthwhile mentioning that neither does N12 accord with N9 nor does N9 accord with N12. The oWFN depicted in Fig. 10(b) is a strategy for N9 but no strategy for N12. The oWFN depicted in Fig. 10(c), in contrast, is a strategy for N12 but not for N9. From Strat(N9) ≠ Strat(N12) and Lemma 6 we can derive Strat(N10) ≠ Strat(N12). That means, transforming N12 into N10 or transforming N10 into N12 violates accordance. However, we can merge the transitions ta and tb in N12 into a single transition, and this transformation preserves accordance in both directions. This is, in fact, an application of Lemma 5.
The next rule, Rule 6, specifies how an alternative branch can be added to an oWFN pattern N13, depicted on the left hand side of Fig. 11. The pattern N13 first receives a and then enters either the left or the right branch. In each branch, messages are sent (b and c, respectively), and then messages are received (d and e, respectively).

[Fig. 10: (a) N9 on the left, N12 on the right; (b) and (c) two environment oWFNs]
(a) Antipattern: Send and then receive (N9) cannot be reordered (N12). Strat(N9) ≠ Strat(N12).
(b) Strategy for N9 but not for N12.
(c) Strategy for N12 but not for N9.
Fig. 10. Counterexample.

Definition 30 (N13). Let N13 = (P, T, F, I, O, m0, Ω) be an oWFN pattern with
– P = I ∪ O ∪ {p1, p2, p3},
– T = {ta, tb, tc, td, te},
– F = {(r, ta) | r ∈ R} ∪ {(td, s) | s ∈ S} ∪ {(te, s) | s ∈ S} ∪ {(a, ta), (ta, p1), (p1, tb), (p1, tc), (tb, b), (tc, c), (tb, p2), (tc, p3), (p2, td), (p3, te), (d, td), (e, te)},
– I = {a, d, e} ∪ R,
– O = {b, c} ∪ S.

The pattern N13 can be transformed into N16 (the net depicted on the right hand side of Fig. 11) by adding an alternative branch. In this branch, d is received, and then a message f is sent. Afterwards, this branch can be arbitrary; that is, there can be any continuation (including a direct continuation in S) of this net, illustrated by the frame. First of all, we define an oWFN pattern N14 specifying the alternative branch to be added to N13. N14 is very general: it is only required that N14 contains the places R and S. N14 is concretized by its subnet N15, which is defined next. Finally, N16 is defined by merging N13 and N14.

Definition 31 (N14). Let N14 = (P, T, F, I, O, m0, Ω) be an oWFN pattern with R, S ⊂ P, where R = R_{N13} and S = S_{N13}.
Definition 32 (N15). Let N15 = (P, T, F, I, O, m0, Ω) be a subnet of N14 with
– P = R_{N14} ∪ {p5, d, f}, p5 ∉ S_{N14},
– T = {t′d, tf},
– F = {(r, t′d) | r ∈ R_{N14}} ∪ {(d, t′d), (t′d, p5), (p5, tf), (tf, f)}, and in N14 there are no other arcs connected to R_{N14}, p5, t′d, tf except outgoing arcs of tf,
– I = {d} and d ∈ I_{N13},
– O = {f}.

The oWFN pattern N16 results from merging the patterns N13 and N15 and is defined as follows.

Definition 33 (N16). Let N16 = (P, T, F, I, O, m0, Ω) be an oWFN pattern with
– P = P_{N13} ∪ P_{N14},
– T = T_{N13} ∪ T_{N14},
– F = F_{N13} ∪ F_{N14},
– I = I_{N13} ∪ I_{N14},
– O = O_{N13} ∪ O_{N14}.
[Fig. 11: N13 on the left, N16 on the right]
Fig. 11. Rule 6: Adding an alternative branch to N13 starting with a receiving event results in N16. Strat(N13) ⊆ Strat(N16).
Rule 6 specifies that N13 can be transformed into N16 while preserving accordance. More precisely, Strat(N13) ⊆ Strat(N16). The correctness of this rule is justified by the following lemma.

Lemma 8 (Rule 6: Adding an alternative branch). Let N13 and N16 be as defined. N16 accords with N13.

Proof (Sketch). It is sufficient to prove Strat(N13) ⊆ Strat(N16). Let U = (PU, TU, FU, IU, OU, m0U, ΩU) ∈ Strat(N13) such that N13 is not dead in N13 ⊕ U; otherwise, we could trivially replace N13 by N16 without violating accordance. We have to show: U ∈ Strat(N16). We prove the lemma by contradiction. Assume that U is no strategy for N16. This implies that the composition of U and N16 can deadlock because of choosing the (newly added) left branch (i.e., N14) in N16. Consider how U interacts with N13: U cannot send d or e before it has received b or c. The reason is that the oWFN pattern N13 decides whether b or c is sent. Only by knowing that decision can U react to message b or c being sent by N13 by sending d or e, respectively. As a result, U cannot control (i.e., it cannot enter) the left branch of N16. Thus, N16 ⊕ U cannot deadlock, and therefore U is also a strategy for N16. This contradicts the assumption, and hence Strat(N13) ⊆ Strat(N16) holds.

However, N13 accords with N16 does not hold in general: assume the left branch of N16 is controllable in isolation. Then there is at least one strategy U′ for N16 which has to put a token on place d and thus controls the left branch. This is not possible for any strategy for N13. Thus, U′ ∉ Strat(N13).

The intuition behind the next transformation rule (Rule 7) is the possibility to add (remove) “dead code” to (from) a service. To motivate this transformation rule, consider a party that wants to reuse an existing service in the contract. This service may provide functionality to other parties not involved in the current contract. Technically, in the first step, this party makes all interface places of this service that are not used internal, and in the second step, it looks for transformation rules justifying the service as a valid private view. To formalize Rule 7, we have to define the oWFN patterns N17–N21.
N17 receives a message a, then sends a message b, and finally it can behave arbitrarily. For this purpose, N17 is defined quite generally and concretized by its subnet N18.

Definition 34 (N17). Let N17 be an oWFN pattern. Let further N18 = (P, T, F, I, O, m0, Ω) be a subnet of N17 with
– P = R_{N17} ∪ {p1, a, b},
– T = {ta, tb},
– F = {(r, ta) | r ∈ R} ∪ {(a, ta), (ta, p1), (p1, tb), (tb, b)}, and in N17 there are no other arcs connected to R_{N17}, p1, ta, tb except outgoing arcs of tb,
– I = {a},
– O = {b}.

The oWFN pattern on the left hand side of Fig. 12 illustrates N17. The arbitrary part of N17 is depicted by a frame. The oWFN pattern N21 results from adding an alternative branch to N17. This branch can be entered if place c is marked. Afterwards, the branch may behave arbitrarily. In the end, both branches are synchronized in S. However, c is an example of an internal place with an empty preset (it is a former interface place). Thus, transition tc will never be enabled.
First of all, we define the oWFN pattern N19, the branch that is added to N17. N19 shares the initial and final marking with N17.

Definition 35 (N19). Let N19 = (P, T, F, I, O, m0, Ω) be an oWFN pattern with R, S ⊂ P, where R = R_{N17} and S = S_{N17}.

N19 contains a subnet N20 which concretizes N19.

Definition 36 (N20). Let N20 = (P, T, F, I, O, m0, Ω) be a subnet of N19 with
– P = R_{N19} ∪ {c},
– T = {tc},
– F = {(r, tc) | r ∈ R_{N19}} ∪ {(c, tc)}, and in N19 there are no other arcs connected to R_{N19} and tc except outgoing arcs of tc,
– I = ∅,
– O = ∅.

Finally, N21, depicted on the right hand side of Fig. 12, results from merging the patterns N19 and N17.

Definition 37 (N21). Let N21 = (P, T, F, I, O, m0, Ω) be an oWFN pattern with
– P = P_{N17} ∪ P_{N19},
– T = T_{N17} ∪ T_{N19},
– F = F_{N17} ∪ F_{N19},
– I = I_{N17} ∪ I_{N19},
– O = O_{N17} ∪ O_{N19}.
[Fig. 12: N17 on the left, N21 on the right]
Fig. 12. Rule 7: Adding dead code to N17 results in N21. Strat(N17) = Strat(N21).
Rule 7 preserves accordance in both directions, meaning that neither adding nor deleting “dead code” changes the set of strategies for N17 and N21. Consequently, Strat(N17) ⊆ Strat(N21).
Lemma 9 (Rule 7: Adding / Removing dead code). Let N17 and N21 be as defined. N17 accords with N21 and N21 accords with N17.

Proof (Sketch). It is sufficient to prove Strat(N17) = Strat(N21). Place c in N21 is an internal place and the preset of c is empty (i.e., •c = ∅). Since c is not marked in the initial marking of N21, there will never be a token on c, and thus transition tc is dead. Consequently, N19 is dead. Since “dead code” does not affect the set of strategies, we can conclude that Strat(N17) = Strat(N21).

The seven transformation rules presented in this section reflect the crucial impact of the order of sending and receiving messages. The first two rules show that sequences of sending events and sequences of receiving events can be executed simultaneously while preserving accordance in both directions. This was our motivation to consider only oWFNs where each transition is connected to at most one interface place. Transforming first-send-then-receive into send-and-receive-concurrently preserves accordance in both directions (Fig. 8). However, first-send-then-receive cannot be transformed into send-and-receive-simultaneously. In contrast, receive-and-send-simultaneously can be transformed into first-send-then-receive while preserving accordance (Fig. 9). Consider first-receive-then-send next. It can be transformed into receive-and-send-simultaneously (Fig. 7), but it cannot be transformed into receive-and-send-concurrently.
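The rules of Figs. 8–10 and Rule 7 can be exercised on the patterns themselves. The following script is an added, constructed example (not code from the paper or from any tool it mentions): it encodes N9–N12 and a few partner nets as Petri nets, decides weak termination of each composition by exhaustive state-space search, and applies Rule 7 by adding an unmarked internal place c with a dead transition tc to a pattern. The dictionary encoding, the per-place token bound and the partner U_C (my own construction of a Fig. 10(c)-style net; the paper's net is not recoverable from the text) are assumptions.

```python
from collections import deque

# Constructed example, not code from the paper.  A pattern is a dict of
# transitions, each a (pre, post) pair of place -> token-count dicts, with one
# initial place and one final place.  N ⊕ U fuses equally named interface
# places into internal channels.  Weak termination: the joint final marking
# (both parties final, every channel empty) stays reachable from every
# reachable marking, so neither deadlock, livelock nor a stray message occurs.

def pattern(transitions, start="R", end="S"):
    return {"T": transitions, "m0": {start: 1}, "final": {end: 1}}

def _marking(d):
    return tuple(sorted((p, c) for p, c in d.items() if c))

def _fire(marking, pre, post):
    """Fire one transition; None if it is not enabled in `marking`."""
    m = dict(marking)
    if any(m.get(p, 0) < c for p, c in pre.items()):
        return None
    for p, c in pre.items():
        m[p] -= c
    for p, c in post.items():
        m[p] = m.get(p, 0) + c
    return _marking(m)

def weakly_terminates(n, u, bound=3):
    """True iff N ⊕ U weakly terminates; `bound` caps tokens per place so the
    search stays finite even for a partner that floods a channel."""
    trans = list(n["T"].values()) + list(u["T"].values())
    start = _marking({**n["m0"], **u["m0"]})
    goal = _marking({**n["final"], **u["final"]})
    succ, todo = {start: set()}, deque([start])
    while todo:                                  # forward: reachability graph
        m = todo.popleft()
        for pre, post in trans:
            m2 = _fire(m, pre, post)
            if m2 is None or any(c > bound for _, c in m2):
                continue
            succ[m].add(m2)
            if m2 not in succ:
                succ[m2] = set()
                todo.append(m2)
    good, todo = {goal}, deque([goal])           # backward: can still finish?
    while todo:
        m = todo.popleft()
        for src, outs in succ.items():
            if m in outs and src not in good:
                good.add(src)
                todo.append(src)
    return all(m in good for m in succ)

# Patterns of Figs. 8-10: a is sent to the partner, b is received from it.
N9 = pattern({"ta": ({"R": 1}, {"a": 1, "p": 1}),            # send a, then
              "tb": ({"p": 1, "b": 1}, {"S": 1})})           # receive b
N10 = pattern({"t1": ({"R": 1}, {"p1": 1, "p2": 1}),         # fork,
               "ta": ({"p1": 1}, {"a": 1, "p3": 1}),         # send a and
               "tb": ({"p2": 1, "b": 1}, {"p4": 1}),         # receive b concurrently,
               "t2": ({"p3": 1, "p4": 1}, {"S": 1})})        # join
N11 = pattern({"tab": ({"R": 1, "b": 1}, {"a": 1, "S": 1})})  # send and receive at once
N12 = pattern({"tb": ({"R": 1, "b": 1}, {"p": 1}),           # receive b, then
               "ta": ({"p": 1}, {"a": 1, "S": 1})})          # send a (reordered N9)

# Partners: consume a, produce b.  U_B is the Fig. 10(b) shape (wait for a, then
# answer b); U_SEND_FIRST sends b unconditionally and then collects a.
U_B = pattern({"u1": ({"q0": 1, "a": 1}, {"q1": 1}),
               "u2": ({"q1": 1}, {"b": 1, "qf": 1})}, "q0", "qf")
U_SEND_FIRST = pattern({"u1": ({"q0": 1}, {"b": 1, "q1": 1}),
                        "u2": ({"q1": 1, "a": 1}, {"qf": 1})}, "q0", "qf")
# U_C is a constructed Fig. 10(c)-style partner (assumption, not the paper's
# net): an a arriving before it has sent b diverts it into a branch that
# never sends b, so it cooperates with N12 but not with N9.
U_C = pattern({"trap": ({"q0": 1, "a": 1}, {"stuck": 1}),
               "u1": ({"q0": 1}, {"b": 1, "q1": 1}),
               "u2": ({"q1": 1, "a": 1}, {"qf": 1})}, "q0", "qf")

def add_dead_code(n):
    """Rule 7: an unmarked internal place c feeding a new transition tc; tc can
    never fire, so the set of strategies must not change."""
    return {**n, "T": {**n["T"], "tc": ({"R": 1, "c": 1}, {"S": 1})}}

def strategy_profile(n, partners=(U_B, U_SEND_FIRST)):
    """Which sample partners are strategies for n, one bool per partner."""
    return tuple(weakly_terminates(n, u) for u in partners)
```

The sample partners can only witness the inequalities Strat(N9) ≠ Strat(N12) and Strat(N11) ≠ Strat(N9) stated above; agreement of N9, N10 and the dead-code variant on them illustrates, but does not prove, the equalities established by Lemmata 6 and 9.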
5.5
Case Study
In this section, we demonstrate how accordance-preserving transformation rules can be applied to derive a private view of the customer from its public view, taken from the running example in Fig. 1(a). At first sight, the generated customer depicted in Fig. 13(b) and the (original) customer (depicted again in Fig. 13(a) to ease the comparison) are not very similar. We now show that the generated customer was derived from the original customer by applying the transformation rules defined in the last two sections:
– The messages order and delivery address can be sent simultaneously to the supplier by transition tab (transitions created by merging transitions of the public view are depicted in light gray). The merging of transitions ta and tb is justified by Rule 1.
– Sending the payment and receiving the shipment can be done concurrently. Therefore we had to add two new internal transitions x and y (newly added transitions are depicted in dark gray). This transformation is justified by Rule 4.
– After receiving the invoice, the customer can check the invoice arbitrarily many times. This is modelled by the newly added loop transition g.
– Finally, a new branch was added to the customer, starting with transition f. Intuitively, this branch models additional behavior that is available when the generated customer is running in a different environment. When cancellation is an input place for messages sent from a (modified) supplier service, the newly added branch can be triggered by messages. Thus, the generated customer can be reused in a different contract. However, place cancellation is not exposed as an interface place, and as it is not marked, the branch is dead. Therefore, the addition is justified by Rule 7.

[Fig. 13: customer (a) on the left, generated customer (b) on the right]
(a) public view
(b) private view
Fig. 13. The public view (a) and a private view (b) of the agency of Fig. 1(a).

As all rules applied are accordance-preserving, the generated customer in Fig. 13(b) is a correct private view of the customer in Fig. 13(a), and thus accords with the running example contract (cf. Fig. 1(a)).
6
Related Work
As already mentioned in the introduction, the work presented in this paper mainly builds on the results presented in [9, 10], where classical workflow nets [15] are used as a formal model and projection inheritance [16, 17] is used for relating the implementation of a contract to the original contract. In this paper, we presented a more generic notion of a contract using open workflow nets. Thus, a public workflow is not restricted to being a workflow net, and therefore “massaging”, that is, transforming a possibly unconnected net (i.e., a net that consists of several parts) into a workflow net, is no longer necessary. Furthermore, our notion of accordance is weaker than projection inheritance since it uses asynchronous message passing rather than synchronous communication as an interaction model. Consequently, we could define accordance-preserving transformation rules which are less restrictive than the rules presented in [9]. The accordance-preserving transformation rules presented in Figures 5–7 can be seen as an enhancement of existing rules for structural refinement and abstraction of Petri nets as presented in [23, 24].

The concept of contracts is also related to the problem of when a service can be substituted by another service. Most of this work, however, is restricted to synchronous communication [25–27], whereas we consider asynchronous message passing. Benatallah et al. [27] present four notions of substitutability. In this paper, we cover two of them: equivalence and subsumption. Equivalence in our notion means that both services have the same set of strategies, and subsumption means inclusion of the sets of strategies. Fournet et al. present in [28] a refinement relation for CCS processes between a specification S and an implementation I of asynchronous message passing software components. This relation is called stuck-free conformance and formalizes (like weak termination) deadlock-freedom of the system. It further satisfies the substitutability property: if I conforms to S and E is an environment such that the composition of E and S is stuck-free, then the composition of E and I is stuck-free, too. In contrast to accordance, this relation does not allow (similar to inheritance) the reordering of sending or receiving events. To check conformance, the model checker Zing [29] is used. The ComFoRT framework [30] analyzes whether a software component S implemented in the programming language C can be substituted by another software component S′. S can be substituted by S′ if the following two criteria hold: (i) every behavior possible in S must also be a behavior of S′, and (ii) the new version of the software system must satisfy previously established correctness properties. The idea of using annotated automata as a representation of a set of automata was first published in [31]. However, to the best of our knowledge, there exists no approach which uses the novel concept of operating guidelines to characterize when a service N can be substituted by a service N′.
7
Conclusion
In interorganizational cooperation, the involved parties specify a public version of the overall process which serves as a contract. Later on, each party implements its part of the contract (i.e., its public view). Such a local modification is nontrivial, as it may cause global errors such as deadlocks. This shows the necessity for a formal framework which guides the user during the modification process. In this paper, we proposed a formal notion of a contract based on open workflow nets. Our correctness criterion, weak termination, guarantees that it is always possible to terminate properly (e.g., the overall process cannot run into a deadlock or livelock). To decide if the public view N of a party can be substituted by a modified version, the private view N′, we presented the notion of accordance. N′ accords with N if N and N′ have the same interface and any environment that can cooperate with N can also cooperate with N′. The value of our accordance notion is that it can be checked locally and guarantees that the overall workflow preserves the weak termination property. To check accordance automatically, we introduced our concept of operating guidelines. The operating guideline of an oWFN N, OG_N, characterizes all oWFNs M (called strategies) such that the composition of M and N weakly terminates. We proved for acyclic finite state oWFNs N and N′ that N′ accords with N if the operating guideline of N′ characterizes at least the strategies that are characterized by the operating guideline of N. In addition, we also presented accordance-preserving transformation rules to derive N′ from N. Accordance guarantees that the overall process will always terminate properly; that is, the overall process cannot run into a deadlock or livelock. We showed that some of the rules preserve accordance in both directions while others preserve accordance in one direction only. We discussed that the notion of accordance generalizes the notion of projection inheritance [9, 10, 16, 17]. As a consequence, we showed that projection inheritance implies accordance, and therefore the inheritance-preserving transformation rules preserve accordance. In ongoing work, we want to generalize our accordance check to cyclic oWFNs. For this purpose, our correctness criterion must also guarantee the absence of livelocks, which is more challenging than checking for deadlocks. Furthermore, we look for other correctness criteria than weak termination. Moreover, we want to relate the notion of accordance to other equivalence notions described in the literature.
References
1. Aalst, W.M.P.v.d., Anyanwu, K.: Inheritance of Interorganizational Workflows to Enable Business-to-Business E-commerce. In Dognac, A., Heck, E.v., Saarinnen, T., et al., eds.: Proceedings of the Second International Conference on Telecommunications and Electronic Commerce (ICTEC 1999), Nashville, Tennessee (1999) 141–157
2. Benjamin, R., Wigand, R.: Electronic markets and virtual value chains on the information superhighway. Sloan Management Review (1995) 62–72
3. Kalakota, R., Whinston, A.B.: Frontiers of Electronic Commerce. Addison-Wesley, Reading, Massachusetts (1996)
4. Malone, T.W., Benjamin, R.I., Yates, J.: Electronic Markets and Electronic Hierarchies: Effects of Information Technology on Market Structure and Corporate Strategies. Communications of the ACM 30(6) (1987) 484–497
5. Merz, M., Liberman, B., Muller-Jones, K., Lamersdorf, W.: Interorganisational Workflow Management with Mobile Agents in COSM. In: Proceedings of Conference on the Practical Application of Agents and Multiagent Systems (PAAM 1996). (1996)
6. The White House: A Framework for Global Electronic Commerce. http://www.ecommerce.gov/framewrk.htm (1997)
7. Zwass, V.: Electronic commerce: structures and issues. International Journal of Electronic Commerce 1(1) (1996) 3–23
8. Papazoglou, M.P.: Agent-oriented technology in support of e-business. Commun. ACM 44(4) (2001) 71–77
9. Aalst, W.M.P.v.d.: Inheritance of Interorganizational Workflows: How to agree to disagree without loosing control? Information Technology and Management Journal 4(4) (2003) 345–389
10. Aalst, W.M.P.v.d., Weske, M.: The P2P approach to Interorganizational Workflows. In Dittrich, K.R., Geppert, A., Norrie, M.C., eds.: Proceedings of the 13th International Conference on Advanced Information Systems Engineering (CAiSE 2001). Volume 2068 of Lecture Notes in Computer Science, Springer (2001) 140–156
11. Kumar, A., Zhao, J.L.: Workflow Support for Electronic Commerce Applications. Decision Support Systems 32(3) (2002) 265–278
12. Sheth, A.P., Aalst, W.M.P.v.d., Arpinar, I.B.: Processes Driving the Networked Economy: ProcessPortals, ProcessVortex, and Dynamically Trading Processes. IEEE Concurrency 7(3) (1999) 18–31
13. Reisig, W.: Petri Nets. EATCS Monographs on Theoretical Computer Science edn. Springer, Berlin, Heidelberg, New York, Tokyo (1985)
14. Massuthe, P., Reisig, W., Schmidt, K.: An Operating Guideline Approach to the SOA. Annals of Mathematics, Computing & Teleinformatics 1(3) (2005) 35–43
15. Aalst, W.M.P.v.d.: The Application of Petri Nets to Workflow Management. The Journal of Circuits, Systems and Computers 8(1) (1998) 21–66
16. Aalst, W.M.P.v.d., Basten, T.: Inheritance of Workflows: An Approach to Tackling Problems Related to Change. Theoretical Computer Science 270(1-2) (2002) 125–203
17. Basten, T., Aalst, W.M.P.v.d.: Inheritance of Behavior. Journal of Logic and Algebraic Programming 47(2) (2001) 47–145
18. Aalst, W.M.P.v.d.: Inheritance of Interorganizational Workflows to Enable Business-to-Business E-commerce. Electronic Commerce Research 2(3) (2002) 195–231
19. Massuthe, P., Schmidt, K.: Operating Guidelines – an Automata-Theoretic Foundation for the Service-Oriented Architecture. In Cai, K.Y., Ohnishi, A., Lau, M.F., eds.: Proceedings of the Fifth International Conference on Quality Software (QSIC 2005), Melbourne, Australia, IEEE Computer Society (2005) 452–457
20. Lohmann, N., Massuthe, P., Wolf, K.: Operating Guidelines for Finite-State Services. In: Proceedings of the International Conference on Petri Nets and Other Models of Concurrency (ICATPN’07). (2007) accepted.
21. Lohmann, N., Massuthe, P., Stahl, C., Weinberg, D.: Analyzing Interacting BPEL Processes. In Dustdar, S., Fiadeiro, J.L., Sheth, A., eds.: Fourth International Conference on Business Process Management (BPM 2006). Volume 4102 of Lecture Notes in Computer Science, Springer (2006) 17–32
22. Glabbeek, R.J.v., Weijland, W.P.: Branching Time and Abstraction in Bisimulation Semantics. Journal of the ACM 43(3) (1996) 555–600
23. Murata, T.: Petri Nets: Properties, Analysis and Applications. Proceedings of the IEEE 77(4) (1989) 541–580
24. Berthelot, G.: Transformations and Decompositions of Nets. In Brauer, W., Reisig, W., Rozenberg, G., eds.: Advances in Petri Nets 1986 Part I: Petri Nets, central models and their properties. Volume 254 of Lecture Notes in Computer Science, Springer (1987) 360–376
25. Bordeaux, L., Salaün, G., Berardi, D., Mecella, M.: When are Two Web Services Compatible? In Shan, M.C., Dayal, U., Hsu, M., eds.: Proceedings of the Fifth International Workshop on Technologies for E-Services (TES 2004). Volume 3324 of Lecture Notes in Computer Science, Springer (2004) 15–28
26. Beyer, D., Chakrabarti, A., Henzinger, T.A.: Web service interfaces. In Ellis, A., Hagino, T., eds.: Proceedings of the 14th international conference on World Wide Web (WWW 2005), ACM (2005) 148–159
27. Benatallah, B., Casati, F., Toumani, F.: Representing, analysing and managing Web service protocols. Data Knowl. Eng. 58(3) (2006) 327–357
28. Fournet, C., Hoare, C.A.R., Rajamani, S.K., Rehof, J.: Stuck-Free Conformance. In Alur, R., Peled, D., eds.: Proceedings of the 16th International Conference on Computer Aided Verification (CAV 2004). Volume 3114 of Lecture Notes in Computer Science, Springer (2004) 242–254
29. Rajamani, S.K., Rehof, J.: Models for Contract Conformance. In Margaria, T., Steffen, B., eds.: First International Symposium on Leveraging Applications of Formal Methods (ISoLA 2004). Volume 4313 of Lecture Notes in Computer Science, Springer (2006) 181–196
30. Sharygina, N., Chaki, S., Clarke, E.M., Sinha, N.: Dynamic Component Substitutability Analysis. In Fitzgerald, J., Hayes, I.J., Tarlecki, A., eds.: Proceedings of the International Symposium of Formal Methods Europe (FM 2005). Volume 3582 of Lecture Notes in Computer Science, Springer (2005) 512–528
31. Wombacher, A., Fankhauser, P., Mahleko, B., Neuhold, E.J.: Matchmaking for business processes based on choreographies. Int. J. Web Service Res. 1(4) (2004) 14–32